malwarewikiaorg-20200223-history
Spanska
Main =
Spanska is a family of parasitic, encrypted DOS viruses written by Spanska from 29A. The main characteristic of this family is its creative payload. Generally, they infect executables other than COMMAND.COM. Some variants are memory resident, while others instead infect a number of files each time they run; their payloads trigger depending on the system time. Spanska viruses do not have any dangerous code or payload.

There are 14 known variants in 5 different versions, each with its own name.

No pasaran variant:
*Virus.DOS.Spanska.1000
*Virus.DOS.Spanska.1008
*Virus.DOS.Spanska.1120.a

Cosmos variant:
*Virus.DOS.Spanska.1120.b

Mars Land variant:
*Virus.DOS.Spanska.1474
*Virus.DOS.Spanska.1500
*Virus.DOS.Spanska.1509

Spanska II (Elvira variant):
*Virus.DOS.Spanska.3698 (no activation)
*Virus.DOS.Spanska.4208
*Virus.DOS.Spanska.4249
*Virus.DOS.Spanska.4250
*Virus.DOS.Spanska.4269
*Virus.DOS.Spanska.4270

IDEA variant:
*Virus.DOS.IDEA.6126

References
#Index of the Spanska family on VX Heaven

|-| Cosmos variant =
Spanska (Cosmos variant) is a parasitic encrypted virus on DOS, written by Spanska from 29A. This virus does not stay memory resident. Spanska.1120.b is the only variant.

Payload

When the virus is run, it infects the first 6 uninfected DOS executable files by writing itself to the end of their binaries. The virus does not infect COMMAND.COM or files that are smaller than 1,500 bytes or larger than 56,000 bytes in size. If there are no more files to infect in the current directory, it changes to other directories in order to find more files to infect.

When the minute is equal to 52 and the second is less than or equal to 20, it displays a video effect of a simulated cosmos, along with the text:

To Carl Sagan, poet and scientist, this little Cosmos. (Spanska 97)

This variant is not equivalent to Spanska.1120.a, which belongs to the No Pasaran version.
References
#Description of the Spanska virus on F-Secure Lab

|-| No Pasaran variant =
The No Pasaran variant of Spanska is a parasitic encrypted virus on DOS. It is written by Spanska from 29A. The phrase "No Pasaran!" ("They shall not pass!") refers to a famous speech given by Dolores Ibarruri, a Spanish freedom fighter. It appeared in her radio speech in 1936.

Spanska.1120.a is the initial release from 1996; it contains bugs that might hang the system during execution, but not in the infected files. Spanska.1000 and 1008 are the "version 2" stated in the payload, as they fixed some bugs present in the 1,120-byte variant. These variants do not stay memory resident after execution.

There are 3 variants in this version: Virus.DOS.Spanska.1000, Virus.DOS.Spanska.1008, and Virus.DOS.Spanska.1120.a.

Payload

The first 7 uninfected DOS executable files are infected when the virus is run.

MD5 hashes:

When an infected file is run at a time when the minute equals 22 and the second is less than 30, the virus activates with a video effect of two flame animations at the lower corners.

Spanska.1000 and 1008

These variants display the messages in sequence:

Remember those who died for Madrid No Pasaran! Virus v2 by Spanska 1997

Spanska.1120.a

This variant is an earlier release; it displays the messages in sequence:

Remember those who died for Madrid No Pasaran! Virus © Spanska 1996

Media
Spanska1000 payload1.png|The first message in the payload.

References
#Description of Spanska on F-Secure Labs

|-| Mars Land variant =
Spanska (Mars Land) is a parasitic encrypted DOS virus, written by Spanska from 29A. There are 3 variants in this version: Virus.DOS.Spanska.1474, Virus.DOS.Spanska.1500, and Virus.DOS.Spanska.1509.

The virus does not stay memory resident. When the virus is run, it infects the first 3 uninfected executable files in each of the COM and EXE formats in the current directory, i.e. 6 files are infected on each run.
The virus does not infect COMMAND.COM or files that are smaller than 600 bytes.

MD5 hashes:

Payload

The virus activates when the minute is equal to 30 and the second is less than or equal to 30. It displays a high quality payload of a Mars-esque surface scrolling by, with captions. For its time, it was considered to be high quality modeling, but by today's standards it is considered to be low quality.

Spanska.1474 displays the caption:

SPANSKA PresentMars L Mars Landing|μ♥ *.* *.C* *.E* .

The latter part of the caption (containing garbage letters and filename extensions) is not expected to be shown.

Spanska.1500 and 1509 are bug-fix releases of Spanska.1474; they display the caption:

Mars Land, by Spanska (coding a virus can be creative)

The virus contains the internal text string:

*.* *.C* *.E*

Media
Spanska DOS Virus|Spanska (Mars landing) virus review by danooct1
Virus.DOS.Spanska.1500-0|Spanska (Mars landing) virus review by Alles Sandro

References
#Description of Spanska on F-Secure Lab

|-| IDEA variant =
Virus.DOS.IDEA.6126, also referred to as Spanska.6126, is a memory resident parasitic polymorphic encrypted DOS virus, written by Spanska from 29A. This virus is also identified as Spanska by some antivirus products, and it is the successor of Spanska_II.

After the virus has been loaded into memory, it hooks INT 21h to infect any executable that is run, and it ignores files having the filename:
*COMMAND
*VSAFE

The virus is stealthy: the infection size varies between files, but the virus can still show absolutely no observable size change, as it stores the size value in the infected files. The TSR memory usage of the virus is 18,400 bytes.

Payload

When an infected program is run while the minute is equal to 30 and the second is less than or equal to 16, the virus activates with a video effect, spinning two differently colored texts in a Matrix style:

Warning! strong crypto inside

Files infected by Spanska_II may also be detected by IDEA, but it may still infect these files when they are run, as long as IDEA stays in memory.

The virus contains the internal text strings:

IDEA virus © Spanska 98 Thx to Rajaat (poly), F Mirza (IDEA), Wild Worker (zip), Solar D (road)

|-| Spanska II =
The Elvira variant of Spanska, or simply Spanska_II, is a memory resident parasitic encrypted virus on DOS, written by Spanska from 29A. It was first discovered in September 1997. There are 6 variants in 3 versions, represented by the following: Virus.DOS.Spanska_II.3698, Virus.DOS.Spanska_II.4208 and Virus.DOS.Spanska_II.4249.

The virus infects C:\WINDOWS\WIN.COM immediately when it is loaded into memory, and then it starts infecting executable files that are run. The virus is stealthy, so there is no observable file size change.

The virus ignores files that are smaller than 500 bytes or larger than 56,000 bytes. It also does not infect files whose names begin with any of the following pairs of letters:

AV CO DR FI FV F- GU IV NA SC TB VI VS

As a result, COMMAND.COM is not infected.

If an executable whose filename begins with any of the following pairs of letters is run, the virus no longer hides itself (stealth routine disabled):

AR BA LH PK RA

The following table shows the memory usage of the variants.

MD5 hashes:

Payload

When an infected program is run at a time when the minute is equal to 30 and the second is less than or equal to 16, the virus activates and displays a scrolling text in Star Wars style.

These variants contain more than one combination of text strings to be displayed. Which one is picked depends on the system day, which is counted from January 1st in any year and cycles every certain number of days, depending on the number of groups of text available. In any leap year, the text to be displayed on February 29th is the same as that on March 1st, and the version of the text to be picked is Day 3.
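For an analyst who needs to predict what an infected sample will display at a given sandbox clock setting, the sketch below models the activation windows listed on this page and the Spanska_II text-group selection. It is an added example, not code from the virus or from the original page; the function names, the choice of January 1st as Day 1, and the non-leap day table (chosen because it reproduces the February 29th behaviour described above) are assumptions.

```python
# Activation windows as stated on this page:
# name -> (minute, second limit, limit inclusive?)
WINDOWS = {
    "Cosmos (1120.b)": (52, 20, True),
    "No Pasaran":      (22, 30, False),  # "second is less than 30"
    "Mars Land":       (30, 30, True),
    "Spanska_II":      (30, 16, True),   # Spanska_II.3698 never activates
    "IDEA.6126":       (30, 16, True),
}

# Days elapsed before each month in a non-leap year (assumed model).
DAYS_BEFORE = (0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334)


def active_variants(minute, second):
    """Variants whose payload window contains the given clock reading."""
    hits = []
    for name, (trig_min, limit, inclusive) in WINDOWS.items():
        in_window = second <= limit if inclusive else second < limit
        if minute == trig_min and in_window:
            hits.append(name)
    return hits


def day_count(month, day):
    """Day number from January 1st, with no leap-year correction."""
    if not (1 <= month <= 12 and 1 <= day <= 31):
        raise ValueError("invalid calendar date")
    return DAYS_BEFORE[month - 1] + day


def text_group(month, day, groups):
    """1-based 'Day N' group for a variant carrying `groups` text sets."""
    return (day_count(month, day) - 1) % groups + 1


if __name__ == "__main__":
    # Constructed sample clock readings and dates.
    print(active_variants(30, 10))
    print(active_variants(22, 30))
    for month, day in ((1, 1), (2, 28), (2, 29), (3, 1)):
        print(f"{month:02d}-{day:02d}: Day {text_group(month, day, 3)}")
```

Under this model February 29th and March 1st both map to day 60, which gives Day 3 for the variants with three text groups, matching the description above.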
Spanska_II.3698

This variant contains no payload, so it does not manifest itself in any way.

Spanska_II.4208

This variant has 2 combinations of text strings available. The common text string is displayed first:

SORRY !

Day 1:

DAS IST BLOß EINE GECRACKTE VERSION VON SPANSKA.

Translation (from German): THIS IS MERELY A CRACKED VERSION OF SPANSKA.

The original content of the last sentence is:

VERSION VON SPANSKA.4250

But the last four characters were not displayed due to the lack of space.

Day 2:

This part seems to be corrupted, and it displays garbage characters instead.

Spanska_II.4249, 4250 and 4270

These variants have 3 combinations of text strings available. The common text string is displayed first:

ELVIRA !

And one of the following groups of text strings is selected for display.

Day 1:

Pars, Reviens, Respire, Puis repars. J'aime ton mouvement.

Translation (from French): Leave, Return, Breathe, Then leave. I like your movement.

Day 2:

Black and White Girl from Paris You make me feel alive.

Day 3:

Bruja con ojos verdes Eres un grito de vida, un canto de libertad.

Translation (from Spanish): Witch with green eyes You're a cry of life, a song of freedom.

Spanska_II.4269

This variant also has 3 combinations of text strings available. The common text string is displayed first:

BIRGIT !

And one of the following groups of text strings is selected for display.

Day 1:

Blond and White Girl from Italy You make me feel silly.

Day 2:

Du bist meine Seele (?) Mein Leib ! Ich werde mich ändern

Translation (from German): You are my soul My Body! I will change myself

Day 3:

Gib mir no' 1 Chance! Es tut mir sehr leid ! Verzeih mir bitte !!!

Translation (from German): Give me a chance! I am very sorry! Please forgive me!!!
Variants

This family has 6 variants in total:
*Virus.DOS.Spanska_II.3698
*Virus.DOS.Spanska_II.4208
*Virus.DOS.Spanska_II.4249
*Virus.DOS.Spanska_II.4250
*Virus.DOS.Spanska_II.4269
*Virus.DOS.Spanska_II.4270

These variants are unofficially called the "Star Wars variant".

Spanska_II.4208 and 4269 belong to different authors. Spanska_II.4269 requires debugging in order to let the virus load into memory; otherwise it would simply hang or even crash the system without infecting any file or delivering the payload.

Virus.DOS.IDEA.6126 is the successor of Spanska_II, as it also belongs to the Spanska family. Files infected by IDEA may also be detected by Spanska_II, but it does not avoid such files, so it infects them as usual when they are run, as long as Spanska_II stays in memory.

Spanska_II.3698, 4249, 4250 and 4270 contain the encrypted internal text strings:

C:\WINDOWS\WIN.COM © SPANSKA 97

Spanska_II.4208 contains the encrypted internal text strings:

© SunSoft Team EXE C:\WINDOWS\WIN.COM © SunSoft Team 98

Spanska_II.4269 contains the encrypted internal text strings:

C:\WINDOWS\WIN.COM Doctor Rave 98

Media
Spanska DOS Virus "Star Wars" Variant|Spanska_II virus review by danooct1

References
#Description of Spanska on F-Secure Labs